A family of weaponised doc (MS Office) files – in the wild – is targeting the Apple Mac platform, which is highly unusual given the low incidence of Apple Mac vulnerabilities. The fact that the weaponised attacks are already in the wild is of concern, as it means that regular Mac users – many of whom do not have the kind of IT security software on their machines that their Windows colleagues do – are vulnerable to infection and computer hijacking.
The hackers behind this latest family of attacks are the same anti-Tibetan group that I have been tracking for several weeks. The pro-Chinese hackers are continuing to escalate the cold war – which has existed between the two countries for more than 60 years – into cyberspace.
What is interesting about this latest attack vector is that, whilst the hacker group is the same one we have been tracking previously, they are now delivering two different Mac trojans along with a new one with better capabilities.
I have also found some “debug symbols” in the program code that give us information about the identities of the hackers and their “Longgege” project. We also have a name for the new trojan – MacControl.
Whilst direct information on the origins and target audience of these weaponised Doc files is scarce, the indications are that this element of the Longgege project is targeting the same Internet users and political pitch as seen with previous attacks.
The group behind this latest Longgege attack is almost certainly the same people identified by colleagues at Trend Micro earlier in the week and who are now turning their attention to vulnerable Apple Mac users.
This is one of the few times I have ever seen a malicious Office file used to deliver malware onto the Apple Mac platform. It exploits a remote code execution vulnerability that exists in the way MS Word handles a specially crafted file that includes a malformed record.
An attacker who successfully exploits this vulnerability could take complete control of the user’s Mac and networked computers plus other resources – potentially even an entire corporate network. Put simply, this means that attackers could then install programs; view, change or delete data; or create new accounts with full user rights.
It’s important to note that users whose accounts have been configured to support fewer user rights on a given system are likely to be less impacted than users who operate with administrative user rights.
The MacControl trojan
Initial research suggests that several versions of the new MacControl trojan have been coded, including one with paths to debugging symbols, which may indicate the code has been written using a development package. Once installed, the malware copies itself into the Library directory, as well as creating a new version in order to maintain persistence when the computer reboots.
After this, the trojan opens a connection to a remote command-and-control server, routing a variety of data to the remote destination, which resolves to an IP connection on the China Unicom Beijing province network.
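The persistence behaviour described above (a copy of the malware placed in the Library directory that is relaunched at reboot) is the kind of thing a Mac user can audit by hand. The following is an added example, not code from the original post or from the malware analysis: it assumes the relaunch is done through a launchd agent plist, which the post does not state, and all labels and paths in the constructed samples are illustrative, not indicators from the post.

```python
import plistlib
from pathlib import Path

# Constructed sample launchd plists standing in for files in ~/Library/LaunchAgents.
# The post only says the trojan copies itself into the Library directory and
# survives reboots; the launchd-agent mechanism, labels and paths here are
# assumptions for illustration, not indicators taken from the post.
SAMPLE_PLISTS = {
    "com.apple.softwareupdate.plist": {
        "Label": "com.apple.softwareupdate",
        "ProgramArguments": ["/System/Library/CoreServices/SoftwareUpdate"],
        "RunAtLoad": True,
    },
    "com.example.helper.plist": {
        "Label": "com.example.helper",
        "ProgramArguments": ["/Users/alice/Library/.helper/helper", "-d"],
        "RunAtLoad": True,
        "KeepAlive": True,
    },
    "com.example.once.plist": {
        "Label": "com.example.once",
        "Program": "/Users/alice/Library/Application Support/Foo/foo",
        "RunAtLoad": False,
    },
}

def build_sample_blobs():
    """Serialise the constructed samples to the XML plist bytes launchd reads."""
    return {name: plistlib.dumps(p) for name, p in SAMPLE_PLISTS.items()}

def program_path(plist):
    """launchd accepts either Program or ProgramArguments[0] as the executable."""
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else ""

def is_suspicious(plist):
    """Auto-started job whose binary lives in a writable Library tree or hidden dir."""
    if not (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        return False
    parts = Path(program_path(plist)).parts
    if not parts or parts[:2] == ("/", "System"):
        return False  # Apple-managed tree, not writable by an ordinary user
    return "Library" in parts or any(p.startswith(".") for p in parts[1:])

def audit(blobs):
    """Return the names of plists (name -> bytes) that meet is_suspicious."""
    return sorted(n for n, b in blobs.items() if is_suspicious(plistlib.loads(b)))

def audit_directory(directory=None):
    """Real-world use: audit every .plist in a launchd agents directory."""
    directory = Path(directory or Path.home() / "Library" / "LaunchAgents")
    return audit({p.name: p.read_bytes() for p in directory.glob("*.plist")})

if __name__ == "__main__":
    print(audit(build_sample_blobs()))  # ['com.example.helper.plist']
```

Anything flagged still needs a human look (legitimate helpers also live under ~/Library), but it narrows the list of login items worth checking against a known-good baseline.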
So far, so nasty, but the really bad news is that all the malware samples we have seen to date have a 0/0 rate of detection. The weaponised doc files also seem to evade detection, suggesting the use of new and never-before-seen hacker coding techniques.
My observations suggest that the hackers involved in this latest anti-Tibet hacker initiative are highly innovative in their malware obfuscation and coding techniques, as well as almost certainly having access to powerful coding platforms.
For more on the Longgege Project: http://bit.ly/GXN5Vv